According to Andy Warhol, everyone gets 15 minutes of fame. If you’re a security consultant, maybe that 15 minutes is the chance you get, face to face with the CEO of your customer, to convince them to focus on security.

The other day I found myself in conversation with a couple of senior execs from a large and well-known security vendor. During the discussion, they made the point that oftentimes a security health check or investigation means presenting bad news. The CISO is not always going to be overjoyed by what you have to report, so you need to present your conclusions direct to the decision maker.

So, this was the challenge – how are you going to get the CEO’s attention and a commitment to action, all in just 15 minutes? Clearly, there’s no use talking about operational security – that’s the CISO’s patch. So, I mused, frame the discussion in terms of Governance, Risk and Compliance (GRC). Most organisations of any size are now quite adept at security compliance. Faced with a plethora of legislation, regulation and contract schedules and armed with a bewildering array of control frameworks and certification schemes, IT security teams spend most of their time looking backwards at what already happened. Beyond that, the Business grants authority to the CISO and his team to implement sufficient controls to enforce the corporate IT security policy. Governance is about monitoring how that decision-making process is working. Finally, the real objective looking forward should be to deploy adequate security to meet the business risk. That ought to be something the CEO cares about.

OK, so now we have a context, but what are the big issues in security for the business? I came up with a Top 3 (you may well disagree):

Consumerisation: Like it or not, staff are going to use their own devices (smart phones, tablets, home computers) in the course of their work. Of course, these devices are outside the control of the IT department, so how do you enforce security policies? What happens if the device is lost? Can you do a remote wipe (which will include the owner’s data as well as the company data)? This loss of control of physical assets and their configuration provides a toehold in the network for an attacker.

Advanced Persistent Threats: The business may find itself under attack from an APT, armed with a wide range of skills and resources and focused on a long-term (months or even years) objective. Even if the IT Security team detects ATP activity, this may only be a fleeting glimpse of what’s actually happening The business may well have no idea why it is being targetted. All the while, the APT will be syphoning off vast amounts of data, maybe sensitive business information, maybe intellectual property, but also maybe personal information belonging to the business’s clients or employees.

Cloud Services: I wrote in a previously post about the threats to security governance posed by cloud services. In many organisations, business units are adopting cloud services without the advice and support of their IT security specialists. The resulting agreements often provide little or no oversight as to how the provider will assure the security of critical or sensitive data and can place the business’ legal and/or regulatory compliance status in jeopardy.

All of these conspire to present a real and growing threat to the personal and sensitive information, stored by virtually every organisation these days. But, how to persuade the CEO that these threats are real? The challenge is to come up with a set of “world-class” questions – they don’t require an answer at the time, rather they should make our CEO reflect on what matters to the long-term health of the business. By coincidence, fellow IBMer Marc van Zadelhoff recently described his set of questions for the CISO in a blog post for the IBM Institute of Advanced Security. His candidate questions are rather more technical than what I had in mind, but that really reflects the dilemma of how to engage with the Business at a senior level. So, I thought about it for a while and this is what I came up with:

Where is your data stored right now? Can you account for every copy? If you’ve entrusted data to a 3rd party, are you sure you can get it back if you end the service? Are you sure they’ll delete it when you tell them?

Can you be sure that your sensitive data isn’t being exfiltrated by an attacker? If it was happening, would you know?

If the worst were to happen and you become the target for a large-scale, highly public data breach, do you have a credible, tested crisis plan for dealing with it? Can you withstand the reputational damage while you execute your plan?

So, that’s my list, all related to the need to protect critical and sensitive data. How would your CEO answer?

So, how was the office when you arrived at work on last Monday morning? Quiet? Like all good disasters, the eruption of Eyjafjallajökull in Iceland was the first of a cascading series of events. The eruption occurred at a time when, unseasonably the prevailing winds across the UK were from the North West (typically at this time of year, our weather comes from the South West), carrying the ash cloud over Northern Europe. In truth the authorities had no choice to close airspace until the picture became clearer. But, you know all this. The key thing, is it happened on the final weekend of the schools’ Easter holidays, leaving thousands of families stranded. Up to 100,000 Britons were caught up in the chaos, so chances are, at least some of your staff didn’t show up on Monday morning and some of them may not be back yet. It’s always inconvenient when staff are absent, but what if they’re key workers? While we’re prepared (at least to some degree) to cope with major disruptions to our IT infrastructure, or even our physical premises, there’s an increasing awareness that people also affect business continuity. When disaster strikes, the first priority is to stop events spiralling out of control and developing into a crisis. In his book “Managing the Human Factor in Information Security“, David Lacey describes how the most sophisticated organisations have standing crisis management teams and conduct regular exercises for those team, anticipating a wide range of situations, however improbable, and planning the business response to protect reputation and customer confidence. A little over a year ago, we were listening in horror to apocalyptic forecasts of the impending Swine Flu pandemic. Mercifully, that didn’t happen to anything like the level feared. But hopefully, the planning you did then (you did make plans, didn’t you?) will have helped you this week. As we emerge from the recession, staffing levels have been pared to the bone; plus, we know that many families barely cope with childcare provisions, particularly during school holidays. So, it’s prudent to assume that loss of key workers is to be a recurring problem.

To prepare your business, you need to be able to answer the following questions:

Do you know who your key workers are?

Do you know where they are at the moment?

What critical activities are they handling in the short-term?

What information do they need to keep those activities moving?

Can they access it remotely if necessary?

If a key worker becomes unavailable, who could deputise?

Do those deputies know what the priority actions are?

Can they reach the necessary information?

One important thing you could do, which is specific to the recent problem, is to provide assistance to key staff when they’re travelling, either on business or for pleasure. Until last year, I worked for a very large global software vendor. When I booked a trip through the corporate travel booking system, my itinerary and contact details were automatically passed to a partner organisation. I carried a card with telephone numbers for a 24 hour emergency contact centre and, if needed, the partner could arrange direct assistance including evacuation if needed. Once you understand the “who” and the “what”, you can turn your attention to the “where” and the “how” by preparing mitigation strategies:

Equip your key staff to work off the premises — many of your key workers may already be equipped with laptops and smart phones, to fulfil their day-to-day responsibilities. Do they need to be given additional equipment? 3G dongles or modems? Would it be wise to provide more key staff with laptops and smart phones?

Make sure your key staff have access to audio/video conferencing and online meeting facilities — Providing access to an audio conference bridge is easy to set up. You can relay the bridge details by mobile phone or email as needed. Where staff need to use this facility with customers or partners, they’ll need their own bridge account with your supplier. There are a range of online meeting systems, such as Microsoft Live Meeting, Citrix Goto Meeting or Cisco Webex. Many organisations ban the use of Skype on corporate networks, but in an emergency, it’s simple to use and many people already have access from their home PCs.

Rethink your admission control for personal devices — Organisations are understandably reluctant to let staff use personal devices (PCs, smart phones) to access the corporate network. But, in an emergency, this could be the only way to reconnect key workers, who can’t make it into the office. Consider whether you can pre-approve home PCs for some key staff (Do they have up-to-date anti-virus/spyware? Is Windows Update turned on?) and relax network admission controls to allow their use in an emergency (you don’t use admission controls? We really need to talk!)

Decide how you’ll cope with the additional connections through your VPN gateways and firewalls — The likelihood is that your contingency plans will mean a large increase in the number of staff access the corporate network from outside. It’s wise to hold discussions with the vendors of your perimeter security solutions beforehand, to decide how any licence “overdraft” can be handled.

Make sure that deputies can access all the data they need in the absence of key staff — This is a procedural issue, to provide elevated access privileges to those staff who will deputise for missing key workers. The procedures for requesting and approving elevated privilege, and for “break glass” access in a fast-developing emergency can be built into your identity and access management systems, but that’s a subject for another post on another day.

Consider how you can arrange for collaboration on key project information — I’ve written before in this blog about how you can organise information in Microsoft OneNote and synchronise it between an office PC and a laptop. I’ve also written about how this synchronisation can be extended to the iPhone. In the corporate environment, collaboration using OneNote notebooks can be managed through the (increasingly ubiquitous) Sharepoint portal. Using a combination like this, the key information needed for critical activities is shared between all the members of your team and can be accessed almost wherever they are. For now, the solution for iPhone is limited to read-only, but even that is due to be rectified very shortly.

One final thought — like all contingency plans, you need to test your arrangements. There are bound to be things you’ve forgotten and you’ll only find out what they are when you do it. Online tech news website Silicon.Com arranges periodic “Work at Home” days, where all the editorial staff stay out of the office and they try to run the business day as normal. It’s an excellent way to find out what works and what needs tweaking.